CVE-2025-35062
Published: 09 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-35062 affects Newforma Info Exchange (NIX) versions before 2023.1, where anonymous authentication is enabled by default. This misconfiguration, mapped to CWE-276 (Incorrect Default Permissions), allows unauthenticated attackers to bypass authentication controls and reach additional vulnerabilities that would otherwise require login credentials. The issue carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact over the network.
Unauthenticated attackers with network access can exploit this vulnerability due to its low attack complexity and lack of required privileges or user interaction. By leveraging anonymous authentication, they can chain it with other authentication-dependent flaws in NIX, achieving unauthorized access that results in limited disclosure of sensitive information, as reflected in the CVSS metrics.
Advisories provide further guidance on mitigation, including the CISA CSAF document at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-282-01.json and the official CVE record at https://www.cve.org/CVERecord?id=CVE-2025-35062. Upgrading to NIX version 2023.1 or later addresses the default anonymous authentication setting.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Anonymous authentication enabled by default in public-facing Newforma Info Exchange allows unauthenticated network attackers to bypass controls and gain unauthorized access, directly enabling T1190: Exploit Public-Facing Application.